Credit Card Fraud

&nbsp

graywolf

2:03 pm on Jan 21, 2003 (gmt 0)

Since the middle of December we have had a huge increase in the amount of fraudulent orders. We were doing online validation for orders under $x. They would place the order using a stolen credit card number, and order 2nd day or next day shipping. Once the order was shipped they would contact the shipper and attempt to reroute the order before delivery. I know this then is the shipper’s fault and we have to submit a claim and will be reimbursed. Then we have the problem of disputing with the shipper and keeping track of it, and the real credit card owner disputing the charge with us.

They were interested in merchandise that they could easily sell (IE DVD players, watches that sort of thing), . The email addresses were valid but all from free services (yahoo, hotmail), the orders were all next or 2nd day shipping. We have stopped online authorization for these types of orders, and a human must now approve them.

We have tried contacting law enforcement but with so little for them to go on they weren't highly motivated.

If anyone has any suggestion of ideas to try please share them. If you want it to be confidential send me a sticky mail.

gsx

3:14 pm on Jan 21, 2003 (gmt 0)

No one is bothered - except for yourself. Read these forums and you'll see many people (including me) are in the same/similar boat.

1) You need a contract with a courier that does not allow re-routes once despatch is made. 2) Be very, very wary of anything on yahoo.com email addresses 3) Check IP addresses of orders to check what country they placed the order from. If this does not match with the delivery country, there is usually a problem. 4) If the credit card holder has not charged-back the fee, refund it. When the card-holder complains, you tell your processing company it was an error and has been refunded. They cannot process the chargeback and you do not get the admin charges. This works for most card processor companies.

jaeden

3:20 pm on Jan 21, 2003 (gmt 0)

graywolf,

Not to be punny, but thats a gray area. You have just listed all the tell-tale signs of what the fradulant card-holders to. I've gone so far as to send myself and email whenever someone orders from Miami, because I haven't had much luck there.

Sometimes if I want to investigate myself, I'll go to InfoSpace and do a reverse lookup on either the phone or the address. Sometimes that is revealing. I also go to this phone finder website at [primeris.com...] which can tell what network a phone is on (cell or land), and can identify countries from country codes.

The only leg you may have to stand on is if you do address verification and it comes up positive. If so, you've done your job. I've even gone so far as to call someone when I thought the order was fishy. Many times, the person who ordered just uses their cellphone, and they confirm the order.

Law enforcement is NOT going to help you. I've been told that unless the amount lost is over $50,000 then they won't bother. I did report a loss of $750+ to officials in Miami, however no one called back (and I don't expect them to). If you accept credit cards, then you must include in your budget for the year a line item for chargebacks, because they are inevetible.

DaveN

3:44 pm on Jan 21, 2003 (gmt 0)

I know one merchant that flags anything over $x and if he thinks it fraud he commits fraud by taking the money and not sending the goods.

usually he's ends up in profit from the monies gaining interest before the card is charged back. as he's say's "the only people to lose when your credit card is stolen is the online store. always"

He even once sent a box of dog cr*p instead of $3000 worth of goods the customer didn't even complain

DaveN IMHO I would not do this and won't personally deal with this merchant but sometimes I really think he's right

gsx

7:09 pm on Jan 21, 2003 (gmt 0)

Law enforcement is NOT going to help you. I've been told that unless the amount lost is over $50,000 then they won't bother.

It's like that in the UK also. Only high amounts are looked into. One thing I have been doing is storing all fraud attempts and will drop them off into the Internet Crime Squad (which is only a couple of miles from where I live) every few years. The more evidence they have, the better. Funny enough they have come back to me and taken statements on two particular addresses, because other merchants have complained regularly about this address.

jaeden

8:49 pm on Jan 21, 2003 (gmt 0)

gsx, you've got a point. You know, if Visa and MasterCard would put up a site, like a bulletin board where registered merchants could submit information about orders that were placed on the internet that were fraudulant, I'm sure they could put a few offenders out of commision. That would be really cool, but you know what.... they won't do that, ever.

The reason is, the merchants are the ones getting screwed here, not the credit card company. The credit card companies are still charging the merchants, and adding an admin fee on top of it. They don't do one bit of investigation. So, why would they care to build a central table?

graywolf

9:05 pm on Jan 21, 2003 (gmt 0)

Does anyone have any experience using the three digit number from the back of a credit card for verification? Curious if it has any serious affect on usability/shoping cart abandonment.

wingslevel

9:52 pm on Jan 21, 2003 (gmt 0)

Our fraudulent orders are way down (to almost zero) since we implemented avs (address verification) in late November. Basically, if the billing address provided by the customer doesn't match up with the address that the credit card company has on file, the charge declines.

The bad news is that our declines are now running 12% - up from their historic 5%. Our decline notification email tries to explain that most declines are because of address mismatches - and we encourage the customer to come back and edit their billing address, but it is still a pain for the customer. I'm still not sure how many sales we are losing and whether it is worth it.

Recently I've purchased goods on two sites that asked for the three digit number (4 on amex) - maybe that's a better solution. Like graywolf, I'd like to know if anyone is using this technique.

gsx

10:07 pm on Jan 21, 2003 (gmt 0)

jaeden, it's worse than it initally seems:

at £100 purchase is chargedback, WorldPay charge 4.5%+VAT for processing, this means:

£4.50+VAT=£5.29 processing charges £10+VAT=£11.75 admin charge for chargeback possible £50 customer charge on their card that they are not covered for

As you can see, this is why they do nothing. And they don't lose any goods. The law needs to change - I believe it should be illegal to make profit from illegal activities, but this is what they are doing.

Crazy_Fool

10:58 pm on Jan 21, 2003 (gmt 0)

>>if Visa and MasterCard would put up a site, like a >>bulletin board where registered merchants could submit >>information about orders that were placed on the internet >>that were fraudulant, I'm sure they could put a few >>offenders out of commision

merchant911.org

Crazy_Fool

11:25 pm on Jan 21, 2003 (gmt 0)

>>Does anyone have any experience using the three digit >>number from the back of a credit card for verification? >>Curious if it has any serious affect on usability/shoping >>cart abandonment.

that's teh CVV number - it's used with many online payment processing companies to veryify that the person entering the card details has the card in their possession. because it's printed and not embossed, it won't be copied when the waiter in the restaurant puts your card in the machine. if you get an online order and the CVV number given matches that held by the card issuer, theres a good chance the transaction was made by the cardholder. if it doesn't match, why not? surely if the customer can read those 3 numbers if they have the card in their possession?

unfortunately, many merchants with bank merchant accounts and simple SSL sites collect CVV numbers and store them on the server. because so many servers are run by inexperienced web hosts, servers are often insecure and easily popped open by crackers and fraudsters. with such easy access to card and CVV numbers, you can't rely 100% on CVV.

Crazy_Fool

12:04 am on Jan 22, 2003 (gmt 0)

>>£4.50+VAT=£5.29 processing charges >>£10+VAT=£11.75 admin charge for chargeback >>possible £50 customer charge on their card that they are >>not covered for

none of this is fair or accurate - it's highly misleading to say the least.

the processing (transaction) charges are applied only when transactions are completed (automatically with full-auth or manually with pre-auth). merchants have the option to use pre-auth and reject / ignore fraudulent orders without incurring any transaction fees whatsoever.

if the merchant authorises a transaction that is later charged back, it's entirely the merchants responsibility.

of the £5.29 transaction fee, £0.79 is VAT which goes to HM Customs. WorldPay actually get 1.6% which is £1.60 - the remaining £2.90 goes to the banks and card companies etc for their part in the processing. a substantial proportion of the £1.60 will be spent on worldpay's own costs - staff etc. the profit will be tiny.

of the £11.75 chargeback fee, £1.75 is VAT and goes to HM Customs. the remaining £10 will go towards the admin costs involved in sending you the RFI, answering your queries about the transaction and the chargeback, collecting your RFI response and sending it to the card issuer and so on. don't forget the national minimum wage is £4.20(?) per hour. at best, the £10 charge will only just cover costs.

other online payment processors also have chargeback fees. rates vary, but again, a lot of admin time is spent dealing with them. i doubt very much whether any online processing company makes a penny profit from chargebacks / fraud.

as for the (possible) £50 cardholder liability, this will be charged by the card issuer, not the payment processor. i think the amount and the circumstances in which the fee will be charged will differ between card issuers. i think the actual amount is set (or suggested) by the underwriters for the card issuers. again, nobody can profit from it - the card holder pays the first £50 of any claim, and the card issuer (or their insurer / underwriter) pays the rest. it's a bit like the excess on your car insurance.

quiet_man

I understand that WorldPay will terminate a merchant's account with them if they rack up too many chargebacks. They also require a clear Returns policy on the merchant's site so that customers know they can return or exchange rather than dispute a transaction which would spark a chargeback. These policies are hardly the actions of a company that seeks to profit from more chargebacks.

bcc1234

12:44 am on Jan 22, 2003 (gmt 0)

I think the gateway charges per authorization and the banks just per transaction.

So let's say you pay $0.30 per authorization, $0.01 for avs and 2.53% discount.

In that case you pay $0.31 regardless of whether your choose to capture or not, but you pay the 2.53% only after the settlement.

Visit Thailand

1:29 am on Jan 22, 2003 (gmt 0)

With products like a DVD etc do you really need such quick delivery, would customers not understand that to avoid increasing prices to cover possible cc fraud that you are offering a lter shipping date?

When I buy from Amazon, it really does not matter to me if the books arrive the next day or the following week.

Also (I am only guessing here) but most of your orders are probably domestic (international orders would be strange imho as the orderer would probably get stung for customs duties) and so can they not send you a faxed authorisation - as it is domestc it would not cost users a lot?

When I joined Overture they called me in Thailand which I was impressed with, and I was pleased they were trying to protect my card.

gsx

11:05 am on Jan 22, 2003 (gmt 0)

none of this is fair or accurate - it's highly misleading to say the least.

the processing (transaction) charges are applied only when transactions are completed (automatically with full-auth or manually with pre-auth). merchants have the option to use pre-auth and reject / ignore fraudulent orders without incurring any transaction fees whatsoever.

if the merchant authorises a transaction that is later charged back, it's entirely the merchants responsibility.

Then please explain why they never set up an account with pre-auth. That's how I got stung. For over £3000. WORLDPAY PROCESSED IT, NOT ME.

the card holder pays the first £50 of any claim, and the card issuer (or their insurer / underwriter) pays the rest.

The card issuer pays the rest? Absolute bollocks. The £100 goes BACK to the card issuer. THEY GET THE MONEY BACK - THINK ABOUT IT. They money is NEVER LOST. It goes back down the chain it started from.

And I don't care where the money goes - it's profit for the card issuer, merchant or Visa/Mastercard/AMEX.... The VAT issue is true of any business transaction.

wingslevel

1:35 pm on Jan 22, 2003 (gmt 0)

Although we may disagree about the extent to which card processors profit or lose on fraudulent transactions - the heaviest burden of credit card fraud clearly falls upon the merchant. Unfortunately he is often the one least able to make an assessment about the validity of a charge.

Lextech

2:11 pm on Jan 22, 2003 (gmt 0)

Visa now has a program - "Verified by Visa" to assist in cutting down credit card fraud.

As for my processing (online toy orders), I absolutely require street address, faxed signature, and a phone number that I call to verify the order with. No connection on any of these 3 points - the order is held for verification. No verification - no order.

gsx

2:53 pm on Jan 22, 2003 (gmt 0)

"Verified by Visa" and Mastercard have an equivilant. This should be interesting to watch, because any fraud using these systems, Visa and Mastercard will be held responsible, not the merchant.

I know of some governments that have pushed for this type of system, where Visa/Mastercard are responsible. If they authorise, they are responsible. Too many small businesses have disappeared because of card fraud.

Crazy_Fool

4:38 pm on Jan 22, 2003 (gmt 0)

>>Then please explain why they never set up an account with >>pre-auth. That's how I got stung.

to save you having to RTFM, send an email to pre-auth@uk.worldpay.com

>>The card issuer pays the rest? Absolute bollocks. The >>£100 goes BACK to the card issuer. THEY GET THE MONEY >>BACK - THINK ABOUT IT. They money is NEVER LOST. It goes >>back down the chain it started from.

wrong. the £100 goes back to the card holder. that's what happens when the cardholder charges back. if it went to the card issuer, there wouldn't be any point in the cardholder charging back.

gsx

9:38 am on Jan 23, 2003 (gmt 0)

The customer never pays the £100. Thats what a chargeback is - the cardholder refuses to pay.

1) The card issuer pays the money through the line to the merchant. The customer pays nothing - that's what credit is. 2) The customer eventually gets a bill, but does not pay the amount - charges it back. 3) The money is taken from the merchant back down the line and goes back to the card issuer.

i.e. No-one loses any money except for the merchant. There is only £100 to lose, the merchant loses the £100 and gets charges admin fees on top. The customer loses nothing, Visa/MC lose nothing and the card issuer loses nothing.

P.S. I am on pre-auth, but after being stung. I was asking why they never set an account up with pre-auth? Because they make money from all the merchants that get stung. Simple.

mikie

12:50 am on Jan 25, 2003 (gmt 0)

Anyone processing credit cards needs to join www.merchant911.org. It is free to join. They help Merchants from avoiding fraudsters, and chargebacks.

graywolf

2:14 pm on Jan 29, 2003 (gmt 0)

Since I started this topic just thought I would thank everybody for chiming in. We implemented address verification last week, and have caught the bulk of the frauds, but now we have the paperwork to contend with. We are turning on CVV2/CID later today, and hope to try and stop the bad guys from even getting into the system. I suppose this will negatively effect my conversion rate/basket completion rate, sigh ....

graywolf

Week 1 1% drop off in basket started / completed 2% drop off in checkout started / completed

If there is any major drop I'll post it here. Otherwise if you care to know the reults send me a sticky mail

silverphoenix

8:39 am on Feb 8, 2003 (gmt 0)

How many of the merchants here are using Verified By Visa? How much would it cost to get this service? How much does it cost to integrate it with the website's shopping card/order processing system?

Do you all know that effective April 2003, a merchant is no longer liable for any fraudulent VISA charge as long as the merchant uses Verified by Visa?

Crazy_Fool

12:01 pm on Feb 8, 2003 (gmt 0)

most, if not all online payment processing companies will include verified by visa over the next year or so. credit cards are often issued for 3 or more years at a time, so don't expect an instant stop to online fraud.

silverphoenix

11:15 am on Feb 9, 2003 (gmt 0)

Do you think that because of the shift of liability to issuing banks starting April 2003, some (crooked) merchants will take advantage of this loophole that as long as the payment is through VISA - the merchant is no longer liable?

I say this because effective April 2003, whether or nor the cardholder is registered with Verified by VISA, the merchant is no longer liable as long as the payment instrument is a VISA card.

In otherwords, it is not the merchant's fault that the cardholder has not registered his/her card with VBV. Therefore, any visa payment is fraud free as far as a merchant (with VBV) is concerned.

silverphoenix

11:21 am on Feb 9, 2003 (gmt 0)

replying to crazy fools: "most, if not all online payment processing companies will include verified by visa over the next year or so. credit cards are often issued for 3 or more years at a time, so don't expect an instant stop to online fraud."

Online fraud will never stop but merchant liability for fraudulent visa payments will stop effective April 2003, as long as the merchants processes visa payment with Verified by VISA. Anybody here - using a payment processor with verified by VISA?